Win2k3 integration

  • Thread starter jim

jim

We're in Win2k mixed mode. We have a PDC Emulator to accommodate our
NT4-based legacy apps. Can we introduce a Win2k3 domain controller in this
environment? Would it "break" anything? I know there are different
versions of A.D. depending on your environment.
 
You can absolutely introduce a W2K3 server in your environment. But remember
to set the Functional Level according to the type of legacy DCs you might
have. In short this is what you need:

- Domain Functional Levels:
-- Windows 2000 Mixed = NT 4.0, W2K, W2K3
-- Windows 2000 Native = W2K3, W2K3
-- Windows Server 2003 Interim = NT 4.0, W2K3
-- Windows Server 2003 = W2K3

- Forest Functional Levels:
-- Windows 2000 Mixed = NT 4.0, W2K, W2K3
-- Windows 2000 Native = W2K3, W2K3
-- Windows Server 2003 Interim = NT 4.0, W2K3
-- Windows Server 2003 = W2K3

Do remember that this only affects DCs, not member servers.

Regards,
/Jimmy
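Jimmy's list maps each functional level to the DC operating systems it permits. The script below is an added example, not code from this thread or its posters: it reads the current domain and forest level over plain LDAP (ADSI, so it also works against Windows 2000/2003 DCs without AD Web Services), lists every DC account with its operatingSystem attribute, and flags the DCs that would fall outside a target level before you raise it. It assumes PowerShell 3 or later on a domain member with read access to the directory; the treatment of an empty operatingSystem value as an NT4 BDC is an assumption, marked in the code.

```powershell
# Added example (not from the thread): domain/forest functional level and DC OS audit over ADSI.
# Assumptions: PowerShell 3+, run as a domain member with read access to the domain partition.

$rootDse   = [ADSI]'LDAP://RootDSE'
$domainDn  = [string]$rootDse.Properties['defaultNamingContext'].Value
$domainObj = [ADSI]"LDAP://$domainDn"

# domainFunctionality / forestFunctionality were introduced with Windows Server 2003;
# a Windows 2000 DC's RootDSE lacks them, which by itself means level 0 (Windows 2000).
function Get-RootDseLevel([string]$attr) {
    $v = $rootDse.Properties[$attr].Value
    if ($null -eq $v) { return 0 }
    return [int]$v
}

# Inside level 0, nTMixedDomain on the domain head separates Mixed (1) from Native (0).
function Get-DomainLevelName {
    $level = Get-RootDseLevel 'domainFunctionality'
    $mixed = [int]$domainObj.Properties['nTMixedDomain'].Value
    switch ($level) {
        0       { if ($mixed -eq 1) { 'Windows 2000 Mixed' } else { 'Windows 2000 Native' } }
        1       { 'Windows Server 2003 Interim' }
        2       { 'Windows Server 2003' }
        default { "Level $level (newer than this thread covers)" }
    }
}

function Get-ForestLevelName {
    switch (Get-RootDseLevel 'forestFunctionality') {
        0       { 'Windows 2000' }
        1       { 'Windows Server 2003 Interim' }
        2       { 'Windows Server 2003' }
        default { 'Newer than Windows Server 2003' }
    }
}

# Collapse the operatingSystem string into the families used in the functional level table.
function Get-OsFamily([string]$os) {
    if ($os -match 'Server 2003') { return 'W2K3' }
    if ($os -match 'Windows 2000') { return 'W2K' }
    if ($os -match 'Windows NT')   { return 'NT 4.0' }
    # Assumption: NT4 BDC accounts do not populate operatingSystem, so an empty value is treated as NT 4.0.
    if ($os -eq '')                { return 'NT 4.0' }
    return 'Other'
}

# DC accounts carry the SERVER_TRUST_ACCOUNT bit (0x2000 = 8192) in userAccountControl.
function Get-DcAccounts {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domainObj)
    $searcher.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'operatingSystem'))
    foreach ($r in $searcher.FindAll()) {
        $os = ''
        if ($r.Properties['operatingsystem'].Count -gt 0) { $os = [string]$r.Properties['operatingsystem'][0] }
        [pscustomobject]@{
            Name   = [string]$r.Properties['name'][0]
            OS     = $os
            Family = Get-OsFamily $os
        }
    }
}

# Which DC operating systems each domain functional level permits.
$allowedDcFamilies = @{
    'Windows 2000 Mixed'          = @('NT 4.0', 'W2K', 'W2K3')
    'Windows 2000 Native'         = @('W2K', 'W2K3')
    'Windows Server 2003 Interim' = @('NT 4.0', 'W2K3')
    'Windows Server 2003'         = @('W2K3')
}

# Preview: which DCs would be outside the rules of $TargetLevel (defaults to the current level)?
function Test-FunctionalLevelFit([string]$TargetLevel = (Get-DomainLevelName)) {
    $allowed = $allowedDcFamilies[$TargetLevel]
    foreach ($dc in Get-DcAccounts) {
        [pscustomobject]@{
            TargetLevel = $TargetLevel
            DC          = $dc.Name
            OS          = $dc.OS
            Family      = $dc.Family
            FitsLevel   = ($null -ne $allowed) -and ($allowed -contains $dc.Family)
        }
    }
}

"Domain level: $(Get-DomainLevelName)"
"Forest level: $(Get-ForestLevelName)"
# Anything with FitsLevel = False here would have to be demoted or removed before raising the level.
Test-FunctionalLevelFit -TargetLevel 'Windows 2000 Native' | Format-Table -AutoSize
```

Run it from the domain you are about to change; the FitsLevel column for the target level is the list of DCs (typically the NT4 BDCs Ulf mentions) that stop receiving replicated account data once the level goes up, so it doubles as a pre-flight check for the PDC Emulator question in this thread.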
 
jim said:
We're in Win2k mixed mode. We have a PDC Emulator to accommodate our
NT4-based legacy apps. Can we introduce a Win2k3 domain controller in
this
environment? Would it "break" anything? I know there are different
versions of A.D. depending on your environment.

Hello Jim,

You will always have a PDC-Emulator since it fulfills additional tasks.
If you don't have DCs with other operating systems you can even switch
into native mode. Your NT4 member servers and clients will work against
the PDC-Emulator no matter what mode the domain / forest is in, only
NT4 BDCs will not get a copy of the Security Account Database if the
domain is switched to a higher mode.

--
Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
WebSite: http://www.windowsserverfaq.org
 
Ok, so a mixed mode environment made up of Win2k DC's, Win2k3 DC's, and a
PDC emulator will work.

The PDC emulator handles the legacy clients and the Win2k and 2k3 DC's will
run at A.D. 2.0?

I should've mentioned that this is being done with the goal of installing
Ex2k3 (we're currently running Ex2k). I know they won't get *all* the
benefits of a pure Win2k3 native mode environment, but it should work
without affecting legacy stuff, yes? We still have many clients that
require NTLM 1.0 and I don't want to break them.

Thanks again!
 
jim said:
Ok, so a mixed mode environment made up of Win2k DC's, Win2k3 DC's, and a
PDC emulator will work.

The PDC emulator handles the legacy clients and the Win2k and 2k3 DC's will
run at A.D. 2.0?

Actually, the PDC Emulator has ALMOST nothing to do
with legacy clients.

It is there mostly for the BDCs as far as being a PDC
Emulator -- but the role also does other things: Domain
Master Browser (since the PDC always did this), and
Time Master (and password change master, but I made
up this last title.)

In fact, if you properly upgrade the clients with DSClient
(aka Active Directory Client Upgrade) the PDC Emulator
really has nothing special to offer the older clients and they
ARE going to need that upgrade with Win2003 due to SMB
Signing being enforced.

Without DSClient the older machines think that ONLY the
PDC can change passwords -- but they still authenticate
on normal days with any other DC (or BDC) as if they were
all BDCs.
I should've mentioned that this is being done with the goal of installing
Ex2k3 (we're currently running Ex2k). I know they won't get *all* the
benefits of a pure Win2k3 native mode environment, but it should work
without affecting legacy stuff, yes?

Yes.

EXCEPT for that SMB Signing issue -- upgrade all
legacy clients with latest Service Packs and DSClient
so they will support SMB Signing.

Do this before you add the first Win2003 DC.

We still have many clients that
require NTLM 1.0 and I don't want to break them.

You should fix that by upgrading them with service
packs etc.

NTLM(v1) cannot even be considered secure these
days.
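Herb's advice boils down to two things to check on every legacy box before the first Win2003 DC goes in: can it sign SMB, and does it still send LM/NTLMv1? The script below is an added example, not code from this thread or its posters. The first function reads those settings from a list of hosts over Remote Registry (host names are constructed placeholders); the second scans a DC's Security log for logons that still used LM or NTLMv1, which gives you the list of machines to service-pack and DSClient first. It assumes Remote Registry is reachable on the audited hosts, that the NT4 signing switch lives under the Rdr service key, and that the logon scan runs on a DC with Windows Server 2008 or later, where event 4624 records the NTLM package version.

```powershell
# Added example (not from the thread): find the legacy machines that cannot sign SMB
# or still authenticate with LM/NTLMv1, before adding the first Win2003 DC.
# Assumptions: Remote Registry reachable on audited hosts; 4624 scan runs on a
# Windows Server 2008+ DC; host names are constructed placeholders.

$hostsToAudit = @('legacy-ws01', 'legacy-ws02', 'nt4-app01')   # constructed placeholders

# LmCompatibilityLevel: 0-1 send LM and NTLMv1, 2 sends NTLMv1 only, 3-5 send NTLMv2 only.
function Get-LegacyAuthSettings([string]$computer) {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
    try {
        $lsa = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        $lm  = [int]$lsa.GetValue('LmCompatibilityLevel', 0)     # absent = 0 = LM and NTLMv1 allowed

        # Client-side SMB signing switch: LanmanWorkstation on Windows 2000 and later;
        # assumption: Rdr\Parameters on NT4 (which needs SP3 or later to sign at all).
        $rdr = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters')
        if ($null -eq $rdr) { $rdr = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\Rdr\Parameters') }
        $sign = $null
        if ($null -ne $rdr) { $sign = $rdr.GetValue('EnableSecuritySignature', $null) }
        $signText = 'not set'
        if ($null -ne $sign) { $signText = [string]$sign }

        [pscustomobject]@{
            Computer             = $computer
            LmCompatibilityLevel = $lm
            SendsNtlmV2Only      = ($lm -ge 3)
            SmbSigningValue      = $signText
            NeedsAttention       = ($lm -lt 3) -or ($sign -eq 0)
        }
    } finally { $hklm.Close() }
}

# Logon events whose NTLM package was LM or NTLM V1; Kerberos logons carry '-' and are skipped.
function Get-NtlmV1Logons([int]$Hours = 24) {
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['AuthenticationPackageName'] -eq 'NTLM' -and
            (@('NTLM V1', 'LM') -contains $data['LmPackageName'])) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                User        = $data['TargetUserName']
                Workstation = $data['WorkstationName']
                Source      = $data['IpAddress']
                Package     = $data['LmPackageName']
            }
        }
    }
}

# Registry audit: unreachable hosts are reported rather than aborting the run.
foreach ($h in $hostsToAudit) {
    try { Get-LegacyAuthSettings $h }
    catch { [pscustomobject]@{ Computer = $h; LmCompatibilityLevel = $null; SendsNtlmV2Only = $null; SmbSigningValue = 'unreachable'; NeedsAttention = $true } }
} | Format-Table -AutoSize

# On a DC: which workstations still authenticated with LM or NTLMv1 over the last week?
Get-NtlmV1Logons -Hours 168 | Group-Object Workstation | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The two views complement each other: the registry audit tells you what a host is configured to do, the 4624 scan tells you what actually hit the DCs, and a machine showing up in the second list that is not in your inventory is exactly the kind of legacy client Herb says breaks once SMB signing is enforced.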
 
Ulf B. Simon-Weidner said:
Hello Jim,

You will always have a PDC-Emulator since it fulfills additional tasks.
YES.

If you don't have DCs with other operating systems you can even switch
into native mode.

Your NT4 memberservers and clients will work against
the PDC-Emulator no matter what mode the domain / forest is in,

There is really nothing much special about the PDC emulator
for legacy machines (including servers) if they have been
properly updated with DSClient.

Even without, they just don't realize that any DC (except BDCs)
can accept machine and user password changes.
 
[..]
There is really nothing much special about the PDC emulator
for legacy machines (including servers) if they have been
properly updated with DSClient.

Even without, they just don't realize that any DC (except BDCs)
can accept machine and user password changes.

Typo: they just don't realize that any DC (except DCs holding the PDC
role) can accept machine and user password changes.

--
Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
WebSite: http://www.windowsserverfaq.org
 
Ulf B. Simon-Weidner said:
[..]
There is really nothing much special about the PDC emulator
for legacy machines (including servers) if they have been
properly updated with DSClient.

Even without, they just don't realize that any DC (except BDCs)
can accept machine and user password changes.

Typo: they just don't realize that any DC (except DCs holding the PDC
role) can accept machine and user password changes.

No, not a typo. With AD DCs any of these DC
can accept password changes.

BUT older clients think that only the "PDC" can do
so without the DSClient upgrade they remain
dependent on the PDC Emulator for that specific
task.

DSClient makes them "DC aware" in the sense that
ANY DC (not including BDCs in a mixed domain)
can accept those password changes.
 
Herb Martin said:
Ulf B. Simon-Weidner said:
[..]
There is really nothing much special about the PDC emulator
for legacy machines (including servers) if they have been
properly updated with DSClient.

Even without, they just don't realize that any DC (except BDCs)
can accept machine and user password changes.

Typo: they just don't realize that any DC (except DCs holding the PDC
role) can accept machine and user password changes.

No, not a typo. With AD DCs any of these DC
can accept password changes.

BUT older clients think that only the "PDC" can do
so without the DSClient upgrade they remain
dependent on the PDC Emulator for that specific
task.

DSClient makes them "DC aware" in the sense that
ANY DC (not including BDCs in a mixed domain)
can accept those password changes.

I know what it does, however if I read your sentence right you stated:
Without DSClient the Clients don't realize that any DC (except BDCs)
can accept password changes.

So if my understanding of the English language is correct the bracket
should mean "except the PDC (or DC holding that role)". They don't
realize that the other DCs are able to change passwords, but they know
that the PDC is able to change it.
Maybe I'm just getting your sentence wrong, but we mean the same.

--
Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
WebSite: http://www.windowsserverfaq.org
 
I know what it does, however if I read your sentence right you stated:
Without DSClient the Clients don't realize that any DC (except BDCs)
can accept password changes.

The above is correct -- we are likely just getting hung up
on the language.

My sentence is awkward with the parentheses.
So if my understanding of the English language is correct the bracket
should mean "except the PDC (or DC holding that role)".

No, that is not what I wrote.

It should parse like this:

Any Win2000 or Win2003 DC can accept changes.
BDCs cannot accept changes.

Legacy clients without DSClient upgrade do not realize
that any DC that is not a BDC can accept changes.

Then we can add:
With DSClient upgrade clients WILL realize that all DCs,
except for the BDCs, will accept changes.

They don't
realize that the other DCs are able to change passwords, but they know
that the PDC is able to change it.

The above is correct.

Maybe I'm just getting your sentence wrong, but we mean the same.

Yes.
 
Herb Martin said:
The above is correct -- we are likely just getting hung up
on the language.

My sentence is awkward with the parentheses.


No, that is not what I wrote.

It should parse like this:

Any Win2000 or Win2003 DC can accept changes.
BDCs cannot accept changes.

Legacy clients without DSClient upgrade do not realize
that any DC that is not a BDC can accept changes.

Then we can add:
With DSClient upgrade clients WILL realize that all DCs,
except for the BDCs, will accept changes.


The above is correct.


Yes.

OK - thanks - guess it's pretty clear for the OP now ;-)

--
Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
WebSite: http://www.windowsserverfaq.org
 